00 

o 

0. 
UJ 



(19) 



J 



(12) 



(43) Date of publication: 

06.05.1 998 Bulletin 1 998/1 9 



rTT" iiiiiiiiiiiiiiiiii 

European Patent Office 
Office europeen des brevets (11) EP 0 840 478 A2 

EUROPEAN PATENT APPLICATION 

(51) Int CI. 6 : H04L 9/32 



(21) Application number: 97118704.2 

(22) Date of filing: 28.10.1997 



(84) Designated Contracting States: 


(72) Inventors: 


AT BE CH DE DK ES Fl FR GB GR IE IT LI LU MC 


• Takaragi, Kazuo 


NLPTSE 


Eblna-shi (JP) 


Designated Extension States: 


• Kurumatanl, Hiroyuki 


AL LT LV RO SI 


Yokohama-shl (JP) 


(30) Priority: 31.10.1996 JP 290525/96 


(74) Representative: 


(71) Applicant: Hitachi, Ltd. 


AKenburg, Udo, Dipl.-Phys. et al 


Patent- und Rechtsanwfihe, 


Chlyoda-ku, Tokyo 101-0062 (JP) 


Bardehle . Pagenberg . Dost . Altenburg . 




Frohwitter . Gelssler & Partner, 




Gallleiplatz 1 




81679 MOnchen (DE) 



(54) Digital signature generating/verifying method and system using public key encryption 



CM 
< 
CO 



(57) A digital signature generating/verifying method 
using a public key encryption scheme which ensures 
high security, reduction in length of the digital signature 
and independency of the length of the digital signature 
on that the order of a base point. In generating a digital 
signature, a first hash value (e) satisfying a condition 
that e = H(M) is determined for a given message (M) by 
using a hash function (H), a numerical value (x) is 
obtained from translation of a random number, a hash 
value (r) satisfying a condition that r = h(x) is determined 
by using a hash function (h) whose output value is 
shorter than that of the first hash function (H). and the 
digital signature is generated by using the hash values 
(e) and (r) as determined. For verification of an inputted 
digital signature, the hash value (e) satisfying the condi- 
tion that e = H(M) is determined, and for a numerical 
value (x) obtained from arithmetic operation of a public 
key (Q), a base point (P) and the inputted digital signa- 
ture (r, s), a hash value (r*) satisfying a condition that r' 
= h(x) on the basis of the hash value (e), the digital sig- 
nature (r, s), the base point (P) and the public key (Q) by 
using a hash function (h) whose output value is shorter 
than that of the first hash function (H). The hash value 
<r') is then compared with a tally (r) of the inputted digital 
signature to thereby verify the inputted digital signature. 
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Description 

BACKGROUND OF THE INVENTION 

5 The present invention relates to a method and a system for generating and/or verifying a digital signature by using 
a public key encryption method for securing the security in a computer network. 

The digital signature technology for imparting electric documents or the like for electronic comments or transactions 
with a function equivalent to that of a conventional seal (hanko in Japanese) promises high efficiency utilization of com- 
puter-network system. However, with the conventional electronic mail encryption technology (also known as Privacy 

10 Enhanced Mail or PEM in abbreviation), it is impossible to process more than one digital signature for a single 
enhanced mail. In this conjunction, in the electronic commerce fields, it is expected in the not-so-distant future that the 
electronic document such as message and the like affixed with a number of digital signatures including not only the dig- 
ital signature of a purchaser but also those of a distributor, salesman and/or monetary business-man will be handled. 
Under the circumstances, there arises a demand for the multiple digital signature technology which allows the electronic 

75 documents affixed with a plurality of digital signatures to be processed. In this conjunction, it is noted that a person 
received an electronic document affixed with a plurality of digital signatures will be forced to verify the authenticity of 
plural or N digital signatures written by other persons before writing or generating his or her own single digital signature. 
Thus, in order to enhance the availability of the digital signature facility in the computer network system, it will be 
required to increase the speed for verification of the plural (N) digital signatures. Besides, it is conceivable that in the 

20 electronic commerces, there is a possibility that comments may be added by a plurality of persons in the course of 
processing the electronic document. 

For having better understanding of the invention, description will first be made in some detail of the technical back- 
ground of the invention. As a typical one of the digital signature techniques known heretofore, there may be mentioned 
the public-key cryptography elliptic curve system disclosed in J. Kbeller, A. J. Menezes, M. Qu and S. A. Vanstone: 

25 "Standard for RSA, Diffie-Hellman and Related Public-Key Cryptography Elliptic Curve Systems (Draft 8)" in "IEEE 
P1363 Standard" published by the IEEE, May 3, 1996 and May 14. 1996, respectively. 

Figure 9 is a schematic diagram showing generally a configuration of a computer network system in which the tech- 
niques disclosed in the above-mentioned literatures are adopted. 

Referring to Fig. 9, there are connected to a network 1001 a system manager's computer 1002, a user A's compu- 

30 ter 1003 and a user B's computer 1004 for mutual communication. 

Operations of the individual units shown in Fig. 9 will be described below. 

System Setgp 

35 The system manager's computer 1002 is in charge of generating an elliptic curve (E) 1006. Subsequently, a base 
point (also referred to as the system key) (P) 1007 of the order (n) 1008 is generated and registered in a public file 1005. 

Key Generation 

40 A key generating function module 1011 incorporated in the user A's computer 1003 is designed to execute the 
processing steps which will be mentioned below. 

Step 1 : In an interval [2, n - 2], an integer d A is selected at random as a private key. 

Step 2: A key Q A is computed in accordance with Q A = d A P. 
45 Step 3 : The key (Qa) 101 5 is opened to the public as the public key. More specifically, the public key (Qa) 1 0 1 5 is 
transmitted together with the identifier name of the user A to the system manager's computer 1002 via the 
network 1 00 1 , whereon the identifier name of the user A is written in the public file 1 005 at a column 1 009 
for the user A's name with the value of the public key (Q A ) 1 0 1 5 bei ng written in a column 1 0 1 0 for the publ ic 
keyQ A . 

so Step 4: In the user A's computer 1 003, the value of the private key (d^ 1 014 is held as the private key of the user A. 
Piqital Signature generation Process 

A digital signature generating function module 1033 incorporated in the user A's computer 1003 is designed to exe- 
55 cute the processing steps mentioned below. 

Step 1 : Message (M) 1016 is received. 

Step 2: Hash value e = H(M) is computed by using a hash function (H) 1028. 
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Step 3: Random number k is selected from the interval [2, n - 2] by using a random number generation function 
1029. 

Step 4: Point kP = (x, y) is computed by a so-called "scalar multiplication on elliptic curve (E)" 1030. 
Step 5: A first tally £ given by r = x + e (mod n) is determined in accordance with the modular computation "r = x + 
e (mod n) w 1031. 

Step 6: A private key (d>0 1017 is inputted to modular computation process "s o k • d A r (mod n)" 1032 for thereby 
determining a second tally s (= k - d A r (mod n)). 

Step 7: A message M 1016 and the digital signature (r, s) 1019 are sent to the user B's computer 1004 via the net- 
work 1001. 

As the parameters required for the computations performed by the digital signature generating function module 
1033, the elliptic curve (E) 1006, the base point which may also be referred to system key (P) 1007 and the order (n) 
1008 registered in the public file 1005 held by the system manager's computer 1002 are referenced. 

Digital Signature Verification Process 

A digital signature verifying function module 1023 incorporated in the user B's computer 1004 is designed to exe- 
cute the processing steps mentioned below. 

Step 1 : The user A's public key {Qp) 1010 is fetched from the public file 1005 held by the system manager's com- 
puter 1002 to be set as a public key (Q A ) 1020. Additionally, the base point (system key) (P) 1007 is fetched 
from the public file 1005 held by the system manager's computer 1002 to be set as the base point (P) 
1007B. Furthermore, the digital signature (r, s) 1019 sent from the user A's computer 1003 is received to be 
set as a digital signature (r, s) 1021. Besides, the message (M) 101 6 sent from the user A's computer 1003 
is received to be set as a message (M) 1022. 

Step 2: The base point or system key (P) 1007B. the public key (Qp) 1020, the digital signature (r, s) 1021 are input- 
ted to the process "scalar multiplication on elliptic curve (E) n and "addition" 1024 to thereby carry out the 
calculation "(x, y) =sP + rQ A ". 

Step 3: The message M 1022 is inputted into the hash function H 1025 to thereby compute the hash value e = H(M). 
Step 4: Through the computation process Y = x + e (mod n)" 1026, a first tally V = x + e (mod n)" is determined. 
Step 5: When the decision "r = f T 1 027 results in r = r' or YES, data "authenticated" is outputted. and if otherwise, 
"not authenticated" is outputted. 

As the parameters required for the computations performed by the digital signature verifying function module 1 023, 
the elliptic curve (E) 1006, the base point or system key (P) 1007 and the order (n) 1008 as registered in the public file 
1005 held by the system manager's computer 1002 are referenced. 

Through the processes described above, the digital signature (r, s) functions as an electronic seal (i.e., seal or 
"hanko" impressed electronically by the user A for the message M. To say in another way, the user B can hold the set 
of the message M and the digital signature (r, s) as the evidence indicating that the message M is issued by the user A. 
Further, although the user B can recognize the authenticity of the set of the message M and the digital signature (r, s), 
the user B can not originally generate the set of the message M and the digital signature (r, s). For this reason, the user 
A can not negate later on the fact that the digital signature (r, s) has been generated by the user A. 

However, the conventional system described above suffers the problems which will be elucidated below. 

(1) Insufficient Proof for Security 

In general, generation of a digital signature by a person having no private key provides a problem. If otherwise, 
the authenticity of the digital signature can not be ensured, degrading the credrtabtlity of the electronic commerce 
and rendering it impractical. 

In the conventional system described above, it is required to provide that such tally combination (r, s) can not 
be generated which allows the output "authenticated' to be generated in the course of the digital signature verifica- 
tion processing without knowing the private key d A However, the conventional system provides no proof to this end. 
Parenthetically it should be mentioned that the problem mentioned above has been pointed out in conjunction with 
EIGamal signature technology on which the conventional system described above is based. 

(2) Long bit length of the digital signature 

Now, assuming that relevant parameters have respective bit lengths as follows: 

(a) The bit length representing the order n of the base point P is / n bits (e.g. 160 bits). 

(b) The bit length representing the output of the hash function H is / H bits (e.g. 1 60 bits). 
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(C) The bit length of the private key d A 15 / d bits (e.g. 160 bits). 

The output value of the hash function H given by of 160 bits is considered as being necessary in view of the 
fact that the hash function H has a collision-free property. In this conjunction, it is contemplated with the phrase "col- 

s lision-free property" to mean that difficulty is encountered in finding two different input values which result in a same 
output value in view of the computational overhead. By way of example, in the case where the output value of a 
hash function H is 160 bits, it will be possible to find two different input values which results in a same output value 
by carrying out an attack method known as "Paradox of Birthday" a number of times on the order of 2 80 on an aver- 
age, which is however difficult in view of the computational overhead. 

w Further, the bit length of 1 60 bits for the order a of the base point (system key) is considered as being neces- 

sary because of difficulty of solving the discrete logarithm problem relevant to the addition on the elliptic curve. 

In this case, when the length of the tally £ of the digital signature (r, s) is of / n bits with the length of the tally s 
being of l n bits, then the total bit number amounts to (/ n + /„) bits (eg. 320 bits). 

(3) The length of the digital signature is determined in dependence on the length of the parameter o of the elliptic 
75 curve. Consequently, when the length of the parameter q is increased for ensuring the security of the digital signa- 
ture more positively in the future, the length of the digital signature increases correspondingly. Parenthetically, in 
conjunction with RSA and EES, it is noted that the length of the parameter n is unavoidably increased because of 
enhancement of the decryption method and the computer performance promoted as a function of the time lapse. 
Same will apply equally to the elliptical encryption in the future. To say in another way, it is expected that the length 
20 of the parameter n will necessarily increase as the decryption technology and the computer performance are 
enhanced as a function of time lapse. Such being the circumstances, it is desirable in conjunction with the elliptic 
encryption to realize the digital signature which does not depend on the length of the order q of the base point or 
system key P. 

25 SUMMARY OF THE INVENTION 

In the light of the state of the art described above, it is an object of the present invention to provide a digital signa- 
ture generating and/or verifying method and system using a public key encryption scheme with high security as well as 
a recording medium for storing a program for carrying out the method. 

Another object of the present invention is to provide a digital signature generating and/or verifying method and sys- 
30 tern using a public key encryption scheme, which allows the bit length of the digital signature to be shortened, and a 
recording medium for storing a program realizing the same. 

Yet another object of the present invention is to provide a digital signature generating/verifying method and system 
which are based on the use of a public key encryption method in which the length of the digital signature is made to be 
independent of the length of the order of the base point, and a recording medium employed for storing a program real- 
35 izing the same. 

In view of the above and other objects which will become apparent as the description proceeds, there is provided 
according to a first generic aspect of the present invention a digital signature generating/verifying method of generating 
and/or verifying a digital signature authenticating electronically a signature affixed to a given document or message (M) 
by resorting to a public key encryption scheme. The digital signature generating/verifying method includes processing 
40 steps of determining for the given document or message (M) a hash value (e) satisfying a condition that e = H(M) by 
using a hash function (H), and determining for a numerical value (x) derived from translation of a random number a hash 
value (r) satisfying a condition that r = h(x) by using a hash function (h) whose output value is shorter than that of the 
first-mentioned hash function (H). 

Further, according to another general aspect of the present invention, there is provided a digital signature generat- 
es ing and/or verifying method of generating or verifying a multiple digital signature authenticating electronically signatures 
affixed to document such as messages and/or comments (Mj) as created and/or added sequentially by N users i (where 
i = 1, .... N) by using a public key encryption scheme. The digital signature generating/verifying method includes the 
steps of (a) determining for a given one of the messages (Mj) a hash value (eft satisfying a condition that e t = H(Mj) by 
using a hash function (H), (b) determining for a numerical value (X|) obtained from translation of a random number a 
so hash value {r) satisfying a condition that r { = h(Xj) by using a hash function (h) whose output value is shorter than that 
of the first-mentioned hash function (H) and (c) executing the above-mentioned steps (a) and (b) for each of the users 
i (where i = 1, N). 

According to another general aspect of the present invention, there is provided a digital signature generating/veri- 
fying system for generating a digital signature authenticating electronically a signature affixed to a given message (M) 
55 by resorting to a public key encryption scheme. The digital signature generating/verifying system is composed of a 
processing unit for determining for the message (M) a hash value (e) satisfying a condition that e = H(M) by using a 
hash function (H), a processing unit or module for determining for a numerical value (x) obtained from translation of a 
random number a hash value (r) satisfying a condition that r e h(x) by using a hash function (h) whose output value is 
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shorter than that of the hash function (H). 

Furthermore, according to another general aspect of the present invention, there is provided a digital signature 
generating and/or verifying system for generating and/or verifying a multiple digital signature authenticating electroni- 
cally signatures affixed to document such as messages and/or comments (Mj) as created and/or added sequentially by 

5 N users i (where i = 1 N) by resorting to the use of a public key encryption scheme, wherein the digital signature 

generating/verifying system includes a module for determining for a given one of the messages (Mj) a hash value fa) 
satisfying a condition that e, = H(Mj) by using a hash function (H), a module for determining for a numerical value (x,) 
derived from translation of a random number a hash value (fj) satisfying a condition that r t = hfc) by Using a hash func- 
tion (h) whose output value is shorter than that of the first-mentioned hash function (hi), and a module for validating the 
10 above-mentioned modules for each of the users i (where i = 1 , ... t N). 

The above and other objects, features and attendant advantages of the present invention will more easily be under- 
stood by reading the following description of the preferred embodiments thereof taken, only by way of example, in con- 
junction with the accompanying drawings. 

is BRIEF DESCRIPTION OF THE DRAWINGS 

In the course of the description which follows, reference is made to the drawings, in which: 

Fig. 1 is a schematic block diagram showing generally a system configuration according to an exemplary embodi- 
20 ment of the present invention; 

Fig. 2A is a block diagram showing a system configuration of a single digital signature generating/verifying unit exe- 
cuted by a user A's personal computer shown in Fig. 1 ; 

Fig. 2B is a flow chart for illustrating a processing involved in the single digital signature generation algorithm exe- 
cuted by the user A's personal computer in conjunction with the system shown in Fig. 1 ; 
25 Fig. 3 is a flow chart for illustrating a processing for a single digital signature verification processing or algorithm 
executed by a user B's personal computer in the system shown in Fig. 1 ; 

Fig. 4 is a flow chart for illustrating a processing for a duple digital signature generation processing or algorithm 
executed by the user B's personal computer in the system shown in Fig. 1 ; 

Fig. 5 is a flow chart for illustrating a processing for a duple digital signature verification processing or algorithm 
30 executed by a user C's personal computer in the system shown in Fig. 1 ; 

Fig. 6 is a block diagram showing a computer network configuration according to another embodiment of the inven- 
tion; 

Fig. 7 is a flow chart for illustrating a processing for a triple digital signature generation algorithm executed by the 
user C's personal computer shown in Fig. 6; 
35 Fig. 8 is a flow chart for illustrating a processing for a triple digital signature verification algorithm executed by a user 
D's personal computer in the system shown in Fig. 6; and 

Fig. 9 is a schematic diagram showing generally a configuration of a conventional computer network system 
designed for transferring electronic documents affixed with digital signatures known heretofore. 

40 DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Now, the present invention will be described in detail in conjunction with what is presently considered as preferred 
or typical embodiments thereof by reference to the drawings. In the following description, like reference characters des- 
ignate like or corresponding parts throughout the several views. Also in the following description, it is to be understood 
45 that such terms as "document", "comment", "message" and the like are words of convenience and are not to be con- 
strued as limiting terms. 

Figure 1 is a schematic block diagram showing generally a system configuration according to an exemplary embod- 
iment of the invention. Referring to the figure, there are connected to a network 101 , a user A's personal computer 102, 
a user B's personal computer 103 and a user C's personal computer 104. In the user A's personal computer 102, a user 

so A's signature (^ , 111 is generated for a user A's created document (M t ) 1 10 by using a base point which may also 
be referred to as the system key (P) 1 1 7 and a user A's private key (d^ 1 1 8 in accordance with a single digital signature 
generation algorithm (AL^ 105 to be subsequently sent to the user B's personal computer 103 via the network 101 . In 
this conjunction, V and "s," of the user A's signature (r 1( s n ) 111 are defined as a first tally and a second tally, respec- 
tively. In the user B's personal computer 103, authenticity of the user A's issued document 109 composed of a set of 

55 the user A's created document (M^ 110 and the user A's signature (r 1( s^ 1 11 is verified by using a base point or sys- 
tem key (P) 1 19 and a user A's public key (Q^ 120 in accordance with a angle digital signature verification algorithm 
(ALj 1 ) 106 and at the same time, a user A's and B's multiple signature (r 1p r 2 , S2) 1 13 is generated for the user A's cre- 
ated document (M t ) (i.e., document M 1 created by user A) 1 15, the user A's signature , s^ 1 1 1 and a user B's addi- 
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tion such as comment (M2) 11 4 by using the base point (P) 1 1 9 and the user B's private key (d^ 121 in accordance with 
a duple digital signature generation algorithm (AL 2 ) 107 to be subsequently sent to the user C's personal computer 104 
via the network 101. In the user C's personal computer 104, authenticity of the user B's issued document 112 com- 
posed of the set of the user A's created document (Mj) 115 and the user B's addition or comment (M2) 114 as well as 
s the user A's and B's multiple (duple) signature (r 1( r 2 , Sg) 1 1 3 is verified by using the base point (P) 122, a user A's public 
key (Qj) 1 23 and a user B's public key (Qa) 124 in accordance with a duple digital signature verification algorithm (AL 2 ') 
108. 

Figure 2A is a block diagram showing a system configuration of the single digital signature generation/verification 
system shown in Fig. 1 and Fig. 2B is a flow chart for illustrating the processing for the single digital signature genera- 
io tion algorithm (AL,) 105 mentioned previously in conjunction with the system shown in Fig. 1 . Description wilt now be 
made by reference to Figs. 2A and 2B. 

The system configuration shown in Fig. 2A bears correspondence to the one shown in Fig. 9. It can be seen that 
the former differs from the latter in respect to the algorithm in the digital signature generating blocks 1 03 1 and 1 032, the 
algorithm in the digital signature verifying block 1026 and the output algorithm in the block 1024. 

75 

Single Digital Signature Generation Alnorithm (ALj) 105 



20 



Step 201: 
Step 202: 

Step 203 
Step 204 
Step 205 
Step 206 
Step 207; 
Step 208 
Step 209: 



Processing for executing this algorithm (AL|) 105 is started. 

The user A's created document (M^ 110, the base point (P) 117 and the user A's private key (d1) 118 are 
inputted. 

A random number kj of l H bits is generated. 
Computation is performed for determining ^P = (x 1p y<|). 
Hash value r 1 (= h(xt)) of t^/Z bits is computed. 
Hash value e 1 (= H(M-,)) of i H bits is computed. 

Computation is performed for determining a tally s-| in accordance with s-i = kj + d^ej + (mod n). 
Value of the single digital signature (r v 111 is outputted. 
The processing is terminated. 



30 



35 



The single digital signature generated through the processing described above corresponds to an electronic image 
of a seal ("hanko" in Japanese) impressed on the message M-) by the user A. In other words, the single digital signature 
(r-i , s^ can be generated only when the private key d 1 equivalent to the seal kept only by the user A is used for the mes- 
sage Mi as furnished. 

Figure 3 is a flow chart for illustrating a processing for the single digital signature verification algorithm (AL^) 106 
in conjunction with the system shown in Fig. 1 . Description will now be made by reference to Fig. 3. 

Sinole Digital Signature Verification Algorithm (AL tf 106 



40 



45 



50 



Step 301: 
Step 302: 
Step 303: 
Step 304: 
Step 305: 

Step 306: 
Step 307: 

Step 308 
Step 309 
Step 310 
Step 311 



Processing is started. 

The user A's created document (M^ 1 10 and the single digital signature (r 1( s-,) 111 is inputted. 
The system key (P) 1 19 and the public key (Q^ 120 are inputted. 
Hash value e<\ = H(M0 of l H bits is computed. 

Computation is performed for determining a first point on an elliptic curve, i.e., a first elliptic point (x 1( y-j) 
= s 1 P-(e 1 +r 1 )Q 1 . 

A numeric value r^ = h(x 1 ) is computed. 

When the condition that ^ = r^ is met, the processing proceeds to a step 308 while if otherwise to a step 
310. 

A signal or data "authenticated" is outputted. 

The first elliptic point (x 1t is outputted, whereon the processing proceeds to a step 31 1. 
"Not authenticated" is outputted. 
The processing is then terminated. 



Through the processing described above, it can be confirmed whether or not the single or simple digital signature 
(r 1t is a correct signature, i.e., whether or not the single digital signature (r 1p Si) corresponds to the correct or true 
seal image. More specifically upon reception of the message Mi and the single or simple digital signature (r 1( Si), the 
55 user B (or user B's computer) checks to confirm the authenticity of the digital signature by referencing the public key Qi 
which corresponds to the registered seal ("hanko"). 

Figure 4 is a flow chart for illustrating a processing for the duple digital signature generation algorithm (ALg) 1 07 in 
conjunction with the system shown in Fig. 1 . Description will now be made by reference to Fig. 4. 
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Duole Digital Signature Generation Algorithm (AL^) 107 



Step 401: 
Step 402: 

5 

Step 403 
Step 404 
Step 405 
Step 406 
10 Step 407 
Step 408 
Step 409 
Step 410 
Step 411 



15 



20 



25 



30 



35 



Processing is started. 

User B's addition or comment (M^ 1 14, the base point (or system key) (P) 1 19 and the user B's private 
key (d 2 ) 121 are inputted. 

The first point (x 1( y0 on the elliptic curve outputted in the step 309 is fetched. 

A random number k 2 of l H bits is generated. 

A point (x, y) = kgP is computed. 

A second point (x 2 , y^ = (x 1f y^ + (x, y) is computed. 

Hash value r 2 = h(x;>) of / H /2 bits is computed. 

Hash value 62 = H(Ms) of l H bits is computed. 

Computation for determining a tally given by S2 = Sj + k 2 + d 2 (e2 + ^ + x£ (mod n) is performed. 
Value of the duple digital signature (r 1( r 2 , s^ 1 13 is outputted. 
The processing comes to an end. 



The duple digital signature (r 1( r 2 , S2) generated through the processing described above corresponds to the seal 
image impressed on a whole document prepared by adding the user B's comment or addition (M^ 1 14 to the message 
(M^ 110 created by the user A and affixed with the single digital signature (r 1f s-,) 1 11. More specifically, when the mes- 
sage M 1 created by other person (user A) and affixed with the other person's single digital signature or the user A's sin- 
gle digital signature (r 1( in the case of the illustrated example is received by the user 6 and when the user B wants 
to add the comment M 2 , the duple digital signature (r 1t r 2 , $2) is generated, which indicates that the seal is impressed 
for the whole document by using the private key d 2 corresponding to the seal which only the user B possesses. 

Figure 5 is a flow chart for illustrating a processing for a duple digital signature verification algorithm (AL 2 ) 108 in 
conjunction with the system shown in Fig. 1 . Description will now be made by reference to Fig. 5. 

PmpIs Digital Signatwe Verification Algorithm (Alg) 1P8 
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Step 501: 
Step 502: 

Step 503: 

Step 504: 
Step 505: 
Step 506: 
Step 507: 
Step 508: 
Step 509: 
Step 510 
Step 511 
Step 512 



Processing is started. 

The user A's created document (Mj) 1 15, the user B's added comment or addition (M2) 114, and the 
duple digital signature (r 1 , r 2 , s 2 ) 1 13 are inputted. 

The base point or system key (P) 122, the user A's public key (Q-i) 123 and the user B's public key (Q 2 ) 
124 are inputted. 

A hash value e 1 = H{M^) of l H bits is computed. 
A hash value e 2 = H(M 2 ) of t H bits is computed. 

A second elliptic point given by (x 2 , y^ = s 2 P - (e^ + r^Qi - (e 2 + r 1 +r 2 )Q 2 is computed. 
A numerical value r 2 ' = h(x^) is computed. 

When r 2 = r 2 ', the processing proceeds to a step 509, and if otherwise, to a step 51 1 . 
A signal "authenticated" is outputted. 

The second elliptic point (x 2 , y 2 ) is outputted, whereon the processing proceeds to a step 512. 
A signal or data "not authenticated" is outputted. 
The processing comes to an end. 



Through the processing described above, it is confirmed whether or not the duple digital signature (r 1( r 2 , s 2 ) is a 
correct signature, i.e. , whether or not the duple digital signature (r 1 , r 2 , S2) corresponds to the correct or true seal image. 
45 More specifically, upon reception of the message M 1( message M 2 and the duple digital signature (r 1( r 2 , s 2 ), the user 
C checks to confirm that the digital signature is made authentically by the very users A and B by referencing the public 
keys and Q 2 which correspond to the registered seals. In that case, the user C can confirm the authenticity of the 
digital signature without using either the private key d? corresponding to the user A's seal or the private key d 2 corre- 
sponding to the user B's seal. 

so in the foregoing, generation of the duple digital signature by using two private keys d 1 and d 2 has been described 
as an exemplary embodiment of the invention. In this conjunction, it should be mentioned that the principle underlying 
the digital signature generating/verifying method described above can be extended in general for the generation of an 
N-tuple digital signature generated by using N private keys d 1t d 2 , d N . 

Figure 6 is a block diagram showing a computer network configuration according to another embodiment of the 

55 invention on the assumption that the system is expanded so as to enable triple digital signatures, i.e., N = 3. Referring 
to the figure, there are newly connected to the network 101 , a user D's personal computer 606 in addition to the user 
A's personal computer 102, the user B's personal computer 103 and the user C's personal computer 104. Set up newly 
in the user C's personal computer 104 in addition to the dual digital signature verification algorithm (AL 2 1 108, the sys- 
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tern key or base point (P) 122, the user A's public key (Q^ 123 and the user B's public key (Q 2 ) 124 are a triple digital 
signature generation algorithm (AL 3 ) 604 and a user C's private key (d 3 ) 605. The user C's personal computer 104 cre- 
ates a user C's issued document 601 and sends it to the user D's personal computer 606. The user C's issued docu- 
ment 601 contains newly a user C's addition or comment (M 3 ) 603 and users A's. B's and C's signatures (r 1( r 2 , r 3 . s 3 ) 
602 in addition to the user A's created document (M^ 613, the user B's addition such as a comment (M 2 ) 614 and a 
user A's and B's signatures (r 1( r 2 , s 2 ) 612. Set up in the user D's personal computer 606 are a triple digital signature 
verification algorithm ( AL 3 ') 607, a base point (P) 608, the user A's public key (Q 1 ) 609, the user B's public key (Q 2 ) 61 0 
and the user C's public key (Q3) 611 . 

Figure 7 is a flow chart for illustrating a processing for the triple digital signature generation algorithm (AL 3 ) 604 
executed by the user C's personal computer 1 04 shown in Fig. 6. 

Triple Digital Signature Generation Algorithm ( AL j 604 



Step 701: 
Step 702: 

Step 703 
Step 704 
Step 705 
Step 706 
Step 707 
Step 708 
Step 709 
Step 710 
Step 411 



Processing is started. 

The user C's addition or comment (M 3 ) 603, the private key (d 3 ) 605, the base point (P) 122 and the duple 

digital signature (r 1t r 2 . $2) 612 are inputted. 

Second elliptic point (x 2 , y^ outputted in the step 510 is fetched. 

A random number k 3 of / H bits is generated. 

A point k 2 P = (x, y) is computed. 

Coordinates (x 3 , y$ = (x 2 , y 2 ) + (x, y) are computed. 

A hash value r 3 = h(x 3 ) of 1 H I2 bits is computed. 

A hash value e 3 = H(M 3 ) of l H bits is computed. 

A tally s 3 = s 2 + + d 3 (e 3 + n + r 2 + r 3 ) (mod n) is computed. 

Value of the triple digital signature (r 1( r 2 , r 3 , s 3 ) 602 is outputted. 

The processing is terminated. 



The triple digital signature (r 1t r 2 , r 3 , s 3 ) generated through the processing described above corresponds to the seal 
image impressed on a whole document obtained by adding the user C's comment or addition M 3 to the messages M 1 
and M2 affixed with the users A and B's multiple digital signatures (r 1f r 2 , s^. More specifically, when the messages M 1 
and M 2 affixed with other users' multiple digital signature (i.e., the users A's and Bs' multiple digital signatures in the 
case of the illustrated example) (r 1t r 2 , are received by a user (i.e., user C) and when the user C wants to add the 
comment M 3 , the triple digital signature (r 1t r 2 , r 3 , $$) can be generated for the whole document created by the users A 
and B and added with the comment M 3 by the user C only by using a private key d 3 corresponding to the seal which 
only the user C possesses. 

Figure 8 is a flow chart for illustrating a processing for the triple digital signature verification algorithm (AL 3 ') 607 
executed by the user D's personal computer 606 in conjunction with the system shown in Fig. 6. Description will now 
be made by reference to Fig. 8. 



Triple Digital Signature Verification Algorithm ( AU1 607 



Step 801: 
Step 802: 

Step 803: 

Step 804 
Step 805 
Step 806 
Step 807: 

Step 808 
Step 809 
Step 810 
Step 811 
Step 812 
Step 813 



Processing is started. 

The user A s created document (M^ 613, the user B's addition or comment (M^ 614, the user C's addition 

or comment (ivy 603 and the triple digital signature (r 1( r 2 , r 3 , $2) 602 is inputted. 

The base point (P) 608, the user A's public key (Q-,) 609, the user B's public key (Qg) 610 and the user 

C's public key (Q 3 ) 611 are inputted. 

A hash value e t = HfMj) of £ H bits is computed. 

A hash value e 2 = H(M 2 ) of Ih bits is computed. 

A hash value e 3 = H(M 3 ) of £ H bits is computed. 

A third point on the elliptic curve, i.e., a third elliptic point (x^ y 3 ) = s 3 P - (ej + r 1 )Q 1 - (ea + ^ +r 2 )Q 2 -(63 
+ r t +r 2 + r 3 )Q 3 is computed. 
Tally r 3 = h(x 3 ) is computed. 

When r 3 = r 3 , the processing proceeds to a step 810, and if otherwise, proceeds to a step 812. 
Signal "authenticated" is outputted. 

The third elliptic point (x 3 , y 3 ) is outputted, whereon the processing proceeds to a step 813. 
Signal "not authenticated" is outputted. 
The processing comes to an end. 



Through the processing described above, it is confirmed whether or not the triple digital signature (r 1t r 2 , r 3 , s 3 ) is 
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a correct signature, i.e., whether or not the triple digital signature (r 1t r 2 , r 3 , S3) corresponds to the correct or true seal 
image. More specifically, upon reception of the message M 1( the message M 2 , the message M 3 and the triple digital 
signature (r 1t r 2 , r 3 , S3), the user D can check to confirm whether or not the digital signatures have been made by the 
very users A, B and C by referencing the public keys Q-i , Q2 and Q 3 which correspond to the registered seals ("hanto") 
of the users A, B and C, respectively. 

The above-mentioned digital signature generation/verification method can be expanded to the case where N is 
equal to or greater than "4" (four). In other words, in general, a digital signature generating/verifying method for verifying 
electronically a multiple digital signature affixed to messages and/or comments Mj created and/or added by N users (i 
= 1 N) can be carried out in general as follows: 

Procedure for Verifying Multiple Digital Signature by Users i (2 < i < fsh 



15 



20 



Step 90 1 : Processing is started. 

Step 902: The (i - 1 ) messages or comments M 1 M h1 and the (i - 1)-tuple digital signature (r t , .... r M , s M ) issued 

by an immediately preceding user (i - 1) are received. 
Step 903: Computation of a hash value e* = H(M|j is repeated for the user (i - 1) starting from k = 1 . 
Step 904: Public keys Qj< previously generated for satisfying Q k = c^P and registered are inputted repetitionally for 

the user (i - 1 ) starting from k = 1 . 
Step 905: A point (Xj. 1t y^) on the elliptic curve given by the following expression (5) is computed. 

M k 
(^i.yM) = S/.i/ 5 -I(e^ £ r m)O k 

*-1 M-1 



25 



Step 906: 
Step 907: 
Step 908: 
Step 909: 
30 Step 910 



A hash value r M ' = h(x M ) is computed. 

When r M = r M \ then data or signal indicating "authenticated" is issued. 

Point (Xj.L y M ) on the elliptic curve is outputted, whereon the processing proceeds to a step 910. 

If r M * r M ', data indicating "not-authenticated" is issued. 

The processing comes to an end. 



35 



In other words, the digital signature generation/verification method for generating electronically the multiple digital 

signature affixed to messages and/or comments (i.e., document) Mj created or added by N users (i = 1 N) can be 

performed as follows: 

Generation Procedure 0 f Multiple pjqjta| Signature by Uggrs j (2 £ j $ N) 



40 



45 



Step 1001 
Step 1002 
Step 1003 
Step 1004: 
Step 1005: 
Step 1006 
Step 1007; 
Step 1008 



Processing is started. 

The point (x M , Y^) obtained at the step 908 is inputted. 

A hash value ej = H(Mj) is computed. 

A random number kj is generated. 

Point kjP = (x, y) is computed. 

Point (Xj, yj) = (x M , Y M ) + (x, y) are computed. 

A hash value r 1 = h(X|) is computed. 

By using private keys d j( the tally s ; given by the following expression is determined. 



50 



s f = s M + k, + d, (e, + £ r k ) (mod n) 



55 



Step 1009: A set of the numerical values (r t r { Sj) is outputted as the digital signature. 

The embodiments of the invention described by reference to Figs, 3 to 5 are directed to the multiple digital signature 
realized by making use of the addition defined on the elliptic curve. However, in general, such multiple digital signature 
can equally be realized by resorting to binary operation defined on the abelian group. 

By way of example, in a set 2 n of integers from T to ff n - 1 " (where q represents a large prime number on the order 
of 1,000 bits), multiplication is defined in the world of modulo n. Then, z n represents an abelian group. The base point 
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P (1 < P < n) is selected appropriately with the private key g and the public key Q being so selected that the following 
relation can apply valid: 

Q = P d (modn) (1) 

5 

In conjunction with the above expression (1), it is noted that the problem of determining d tor given values of Q, P 
and n represents a discrete logarithm problem which is difficult to solve in view of the computational overhead when the 
value of n is large. 

On the presumption mentioned above, the single digital signature generation algorithm (ALj) 105 described previ- 
io ously by reference to Fig. 2, for example, is modified as follows: 



Single Digital Signer? Gene^Qn Algorithm (ALjl 



Step 201 
Step 202 
Step 203 
Step 204 
Step 205 
Step 206 
Step 207 
Step 208 
Step 209 



The processing is started. 

The user A's created document M 1a the base point P and the private key d1 are inputted. 
A random number or integer ^ of l H bits is generated. 
Computation is performed for determining x-| = P*1. 
A hash value ^ = h(xO of 1^12 bits is computed. 
A hash value e 1 = H(Mt) of l H bits is computed. 

Computation is performed for determining the tally s 1 « k 1 + d 1 (e 1 + ^) (mod n). 
Value of the single digital signature (r 1( s<|) is outputted. 
The processing comes to an end. 



The single digital signature (r 1t obtained, being modified as mentioned above, brings about advantageous 
25 effects similar to those obtained in the digital signature generating/verifying method described hereinbefore by refer- 
ence to Fig. 2. Similar modification of the multiple digital signatures can provide similar advantages as those mentioned 
hereirtoefore. 

With the arrangements of the digital signature generating/verifying systems described above, there can be assured 
such advantageous effects as mentioned below. 

30 

(1) It is impossible to forge a digital signature of other person without knowing the other person's private key. Secu- 
rity concerning the forgery prevention of the single digital signature (r-, , s-|) will be demonstrated by the proposition 
1 described hereinafter. 

(2) The length of the digital signature can be shortened. By way of example, assuming that the order a is 160 bits 
35 and that the length of the output value of the total hash function H is 160 bits, then the length of the single digital 

signature in the conventional system is 240 bits. By contrast, in the case of the systems according to the invention, 
the length of the single digital signature is 240 bits. Furthermore, the length of the duple digital signature in the con- 
ventional system is 640 bits, whereas in the systems according to the invention, it is only 320 bits. In general, in the 
case where the N-tuple digital signature is affixed, the total length of the digital signatures is of 320 x N bits, 
40 whereas in the system according to the present invention, it is 160 + 80 x N bits. Thus, when the value of N is large, 
the length of the digital signature according to the invention can be reduced by ca. 1/4 when compared with the sig- 
nature length in the conventional system. In other words, the length of the digital signature can be significantly 
reduced according to the teachings of the invention. 

(3) According to the invention, it is possible to make the length of the digital signature be independent of the length 
45 of the order n. Assuming now that the length of the output of the total hash function H is sufficiently greater than 

that of the random integer fc the length of the tally s of the signature can be suppressed smaller than the length of 
the outputs of the total hash function H plus the length of the private key & Thus, independent of the length of the 
order n, the length of the N-tuple digital signatures can be made to be not greater than "the length of the output of 
the whole hash function H + private key g + N x length of the output of the half-ha6h function h\ 

50 

In each of the digital signature generation/verification system according to the embodiment of the invention 
described above, the processing steps of executing the digital signature generating method can be stored in the form 
of a programs in a recording medium such as a CD-ROM, a f loppy-disk, a semiconductor memory or the like, wherein 
the program can be loaded and executed in a computer for generating the digital signature for thereby generating the 
55 digital signature. Similarly, the processing steps included in the input digital signature verifying method can be loaded 
in the computer for the digital signature verification in the form of a program to be executed for verifying the digital sig- 
nature. Needless to say, the digital signature generating/verifying program mentioned above may be down-loaded to cli- 
ent personal computers from the server computer. 
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Lemma (Subsidiary Prpppsition) 1 



It is presumed that H represents a hash function having a one-way property, the algorithm AL is not difficult to exe- 
cute in view of the computational overhead and that data generated without resorting to the use of the hash function is 
5 inputted to thereby generate on a memory in the course of computation the numerical values of x and y which satisfy 
the equation "y = H(x)". In that presumed case, the numerical value y can never make appearance on the memory so 
long as the numerical value x has not made appearance ever on the memory in the past. 



Demonstration 

10 

Demonstration will be made by resorting to "reductio ad absurdum (reduction to absurdity)" or irrationality. It is 
assumed that the value y satisfying the function y = H(x) has made appearance on the memory in precedence to the 
value x. However, since the hash function H is of the one-way property, computation for the reverse transformation of 
the hash function H, i.e., x = H' 1 (y) is impossible. Accordingly, in order to generate the value x on the memory it is nec- 
75 essary to supply externally such input data from which the value x capable of satisfying the hash function y = H(x), 
which however contradicts to the inputting of the data generated without using the hash function H. 
The Demonstration of the lemma 1 is now concluded. 



Proposition 1 

20 

It is presumed that the discrete logarithm problem concerning the addition on the elliptic curve can not be solved. 
Additionally, it is assumed that the hash function H( • ) of l H bits has collision-free property as well as the one-way prop- 
erty. Furthermore, it is presumed that the hash function h( • ) of 1^/2 bits has also the one-way property. In that case, 
when i n £ t H , there exists no algorithm AL 3 which can output in response to the inputting of the base point (system key) 
25 P and the public key Q 1 the message M-j and the single digital signature (r 1( for which the algorithm AL-) outputs 
"authenticate" so long as the private key d-i is unknown. 



Demonstration 



30 Now, it is supposed that such algorithm AL 3 exists which can output in response to the inputted system key or base 
point P and the public key Q-i , the message Mi and the single digital signature (r-, , s-i) for which the verification process- 
ing ALj' outputs "authenticate" without knowing the private key d v More specifically, it is supposed that such algorithm 
AL 3 exists for which the inputs and the outputs are as follows: 



35 input to the algorithm AL 3 : 

system key (base point) P, and public key 

Output from the algorithm AL3 : 

message M-,, single digital signature (r 1( sj) 



40 where the message Mj and the single digital signature , s t ) satisfy the following conditions: 



(xvy^-s^-^+r^Q, (2) 

r,=h(x,) (3) 

45 

e^HtM,) (4) 



It should be noted that l n £ £ H holds true. 

On the conditions mentioned above, the number of the outputs from the algorithm AL 3 is three, i.e., , and r t . 
so Accordingly, in the course of the processing according to the algorithm AL 3 , the correct output values make appearance 
in either one of the orders or sequences mentioned below: 



Case 1 : Correct output values make appearance in the sequence of s-, , ^ and M<| . 

Case 2: Correct output values make appearance in the sequence of r 1t and Mj. 

55 Case 3: Correct output values make appearance in the sequence of , Mf and ^ . 

Case 4: Correct output values make appearance in the sequence of Mj , and r-j . 

Case 5: Correct output values make appearance in the sequence of ^ , Mj and . 

Case 6: Correct output values make appearance in the sequence of Mj , ^ and s A . 
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In the cases 1 and 2 mentioned above, the correct output values of s 1 and r 1 make appearance in precedence with 
the correct value of the message M 1 making no appearance at a given time point in the course of the processing. Since 
h in the expression (3) represents the hash function, the correct output value of the tally x 1 must make appearance in 
precedence to that of the tally n in the light of the "Lemma 1" stated previously. When the value of the tally x-, is deter- 
mined the value of the tally y? assumes either one of two values ±p because the term (x 1 , yj) in the expression (2) rep- 
resents a point on the elliptic curve E. In correspondence to the value +p or -p of the tally y 1t the hash value e-, which 
can satisfy the condition given by the expression (2) is limited to two different values. After the time point of concern, 
the message M 1 satisfying the condition given by the expression (4) so that the hash value e 1 assumes either one of 
the two value must be determined, which however contradicts to the fact that "H" in the expression (4) represents the 
hash function. Accordingly, the situations corresponding to the Cases 1 and 2 can not take place. 

In the Cases 3 and 4 mentioned above, the correct output value of s 1 and the message M 1 make appearance in 
precedence with the correct value of the correct output value r 1 making no appearance at a given time point in the 
course of the processing. At this time point, the hash value e-t can be determined definitely in accordance with the 
expression (4). After this time point, the value of the tally r 1 satisfying the conditions given by the expressions (2) and 
(3) must be determined. However, it will never occur that the correct output value of the tally r 1 makes appearance at 
first, being followed by determination of the value for the coordinate x v This is because "h" in the expression (3) repre- 
sents the hash function. Besides, such case will not occur in which the correct output value of x-, makes appearance in 
precedence and thereafter the value of r 1 is determined. Because, if otherwise, the discrete logarithm problem concern- 
ing the addition on the ellipse can be solved in conjunction with the expression (2), which contradicts the proposition 
stated hereinbefore. In other words, the value of ^ can not be determined at any time point. Thus, the situations corre- 
sponding to the Cases 3 and 4 can not occur. 

In the Cases 5 and 6 mentioned above, the correct output values of the tally r-, and the message M-j make appear- 
ance in precedence with the correct value of the tally $<\ making no appearance at a given time point in the course of 
the processing. At this given time point, the hash value e 1 can be determined definitely in accordance with the expres- 
sion (4). After this time point, the value of the tally s-| satisfying the conditions given by the expressions (2) and (3) must 
be determined. However, it will never occur that the correct output value of the tally s 1 makes appearance at first, being 
then followed by determination of the value for the coordinate x 1 . This is because "h" in the expression (3) represents 
the hash function and the correct output value of x 1 can make appearance before the output value of n is determined 
precedingly. Besides, such case will not occur in which the correct output value of x 1 makes appearance in precedence 
and thereafter the value of s-, is determined. Because, if otherwise, the expression (2) can be solved concerning the 
unknown s 1( that is, the discrete logarithm problem concerning the addition on the ellipse can be solved, which contra- 
dicts however the proposition stated hereinbefore. In other words, the value of s 1 can not be determined at any time 
point. Thus, the situations corresponding to the Cases 5 and 6 can not occur. 

Thus, there occurs none of the situations corresponding to the Cases 1 to 6 mentioned previously. Thus, the algo- 
rithm AL 3 does not exist. 

Now, the demonstration is concluded. 

By the way, it should be noted that in conjunction with the demonstration of the Proposition 1 that the algorithm AL 3 
may exist unless the Proposition 1 that l n £ / H applies valid. 

To say in another way, if the condition l n < l H should hold true, there may arise such situation that the message 
and the single digital signature (r 1f s-,) for which the single digital signature verifying algorithm AL{ outputs "authenti- 
cated" can be generated without knowing the private key d. 

By way of example, let's suppose that in the computation "s = k + d(r + e) (mod n)", the value of £ n is small and 
hence the value of n is small. Then, the collision-free property of hash value e = H(M) (mod n) may collapse, incurring 
such case where computation is performed such that the tally s can assume a same value for messages M and M* not- 
withstanding of the fact that the message M is not same as the message M', i.e., M * M\ as exemplified below. 

Let's suppose, by way of example, that the messages M and M* are written applications for purchasing a car. 
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Message M 

To FT J#&»GH Sales Company 

I will purchase the car A at 1,050,000 yens. 

To be signed by Takaraai 



Message M' 

To IG#. Hy8(Jk) Sales Company 

I will purchase the car A at 2,050,000 yens. 

To be signed by Takaraai 



Again suppose that the malicious sales company prepared the written application for purchase such as the mes- 
sage M and handed it over to Mr. Takaragi under the false pretense that the leading character string "FT J# • GH" is 
added for the purpose of ensuring security and that Mr. Takaragi signed the written application (message M) with pleas- 
ure because of low price of the car A. Later on, Mr. Takaragi receives a bill demanding payment of 2,050,000 yens 
together with the exhibit of the message M' affixed with his signature, to his great surprise. However verification of the 
message M* shows that Mr. Takaragi has signed the written application or message M\ 

In order to exclude positively the injustice such as mentioned above, it is necessary that H represents the hash 
function which has not only the one-way property but also the collision-free property and that the parameter n relevant 
to the elliptic curve relation is assigned with a large value for validating the condition that / n £ l H - 

It should be additionally mentioned in conjunction with the "Demonstration" described above that the hash function 
h may be only of the one-way property and need not necessarily have the collision-free property. However, in case the 
hash function h is not of the one-way property, the values which can satisfy the condition given by the expression (3) 
may be found by arithmetically determining a variety of values for x by changing s and M while fixing £ in the expression 
(2). The message M and the signature (s, r) found in the way may constitute forged message and signature. For this 
reason, it is necessarily required that the hash function fa is of the one-way property. 

Moreover, according to the teaching of the invention, the length of the digital signature can be shortened. 

More specifically, the single digital signature (r 1f Sj) has a bit length equal to £ n + l H !2 (e.g. 240 bits), and thus the 
length of the signature can be shortened when compared with the conventional signature length l n + / n (e.g. 320 bits). 
Furthermore, the length of the duple digital signature (r 1( r 2 , S2) is (/ n + V 2 + V 2 ) bits (e.g. 320 bits), which is signif- 
icantly shorter than the length of the conventional signature l n + l n + l n (e.g. 480 bits). 

Proposition 2 

It is presumed that the discrete logarithm problem concerning the addition on the elliptic curve can not be solved. 
Additionally it is assumed that the hash function H( • ) of £ H bits has the collision-free property as well as the one-way 
property. Furthermore, it is presumed that the hash function h( • ) of bits has the one-way property as well. In that 
case, so long as l n £ l H , there exists no algorithm AL4 which can output the duple digital signature (r 1 , r 2 , s 2 ) for which 
the algorithm AL 2 outputs "authenticated" without knowing the private key d v 

Demonstration 

Now, it is supposed that such algorithm AL4 exists which generates the duple digital signature (r 1( r 2 , s 2 ) for which 
the verification processing according to the algorithm AL 2 ' outputs "authenticated" without knowing both the private key 
d 1 and the private key cfe. Namely presumption is made as follows: 

Input to the processing AL4: 

system key (base point) P, and public keys Q 1 and Q 2 , and 
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Output from the processing AL4: 

messages M 1 and M 2 , duple digital signature (r 1t r 2 , 83), 

where the duple digital signature (r 1t r 2 , S2) satisfies the following conditions: 

e 1 o H(M-,) (4) 

e 2 = H(M 2 ) (5) 

(x 2 ,y 2 ) = s 2 P-(e 1 +r 1 )Q 1 -(e 2 +r 1 +r 2 )Q 2 (6) 

r 2 «h(x 2 ) (7) 

In the course of executing the processing according to the algorithm AL4, the correct output values make appear* 
ance in either one of the sequences mentioned below: 

Case 1 : Correct output values make appearance in the sequence of s 2 , r 1 and r 2 . 
Case 2: Correct Output values make appearance in the sequence of r 1 , S2 and r 2 . 
Case 3: Correct output values make appearance in the sequence of s 2 , r 2 and r 1 . 
Case 4: Correct output values make appearance in the sequence of r 2 , s 2 and ^ . 
Case 5: Correct output values make appearance in the sequence of r 1 , r 2 and S2. 
Case 6: Correct output values make appearance in the sequence of r 2 , r 1 and s 2 . 

In conjunction with the Case 1 to 6 mentioned above, it is noted that the computation sequence that the correct out- 
put value of the tally r 2 is determined in accordance with the expression (7) only after the correct output value of the 
coordinate ;< has made appearance is common to all the Case 1 to 6. If otherwise, it contradicts the presumption that 
the hash function h is of the one-way property. 

Additionally the computation sequence that the hash values e<\ and e 2 are determined in accordance with the 
expressions (4) and (5), respectively, only after the correct output values of the messages M 1 and M 2 have made 
appearance is also common to the all the aforementioned Cases 1 to 6. If otherwise, it contradicts the presumption that 
the hash function H is of the one-way property and collision-free. 

In the Cases 1 and 2, the correct output values of the tallies s 2 and r 1 make appearance at f irst at a given time pant 
in the course of executing the processing whereas the correct output value of the tally r 2 makes no appearance. After 
the above-mentioned given time point, the tally r 2 which satisfies the condition given by the expression (6) must be 
determined. In this conjunction, however, the following facts (a), (b) and (c) have to be taken into account. 

(a) Such situation does not occur in which the correct output value of the tally r 2 makes appearance finally after the 
appearance of the correct hash values e-j and e 2 . More specifically, the computation sequence in this case will be 
such that the value of the coordinate x 2 is determined and then the tally r 2 determined. However, this means that 
the equation (6) can be solved with the tally r 2 as the unknown, which contradicts the presumption that the discrete 
logarithm problem on the elliptic curve is insolvable. 

(b) Such situation can not occur that the correct hash value e 2 is outputted only after the appearance of the correct 
output values for the hash value and the tally r 2 , because, if otherwise, the equation (6) is solved with the hash 
value e 2 as the unknown, which contradicts the presumption that the discrete logarithm problem on the elliptic 
curve is insolvable. 

(c) Such situation can not occur that the correct output value for the hash value e 1 makes appearance only after 
the appearance of the correct output voltages for the hash value e 2 and the tally r 2 , because, H otherwise, the equa- 
tion (6) is solved with the hash value e 2 as the unknown, which of course contradicts the presumption that the dis- 
crete logarithm problem on the elliptic curve is insolvable. 

In the Cases 3 and 4, the correct Output values of the tallies s 2 , r 2 and x 2 make appearance at first at a given time 
point in the course of executing the processing, whereas the correct output value of the tally r 2 makes no appearance. 
After the above-mentioned given time point, the tally r<\ which satisfies the condition given by the expression (6) must 
be determined. Such situation does not occur in which the correct output value of the tally ^ makes appearance finally 
after the appearance of the correct hash values e 1 and e 2 . Supposing that the correct output value for the hash value 
e 2 makes appearance finally, then it follows: 

(i) If the private keys d t and d 2 are known, the expression (6) can be modified as follows: 
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(x 2 , y 2 ) = {s 2 -d^+r^JP - (e 2 +r 1+ r 2 )Q 2 (8) 

The above equation (8) is solvable with a tally r 1 as the unknown, which of course contradicts the presumption that 
the discrete logarithm problem on the elliptic curve is insolvable. 
5 (ii) If the private key cfe is known with the private key being unknown, the expression (6) can be modified as fol- 
lows: 

(x 2> y 2 ) = {s 2 -d^e^+r^P - (e 1 +r 1 )Q 1 (9) 

ro The above equation (9) is solvable with the tally r<| as the unknown, which is in contradiction to the presumption that 
the discrete logarithm problem on the elliptic curve is solvable. 

(iii) When neither the private key d 2 nor the private key d 1 is known, the equation (6) is solvable with the tally r 1 as 
the unknown, which is in contradiction to the presumed insolvability of the discrete logarithm problem on the elliptic 
curve. 

75 

In view of the foregoing, it can be concluded that the correct output value for the tally r t can not make appearance 
finally after the output of the correct hash values e 1 and e 2 . 

(b) Such situation can not occur that the correct output value for the hash value e 1 makes appearance only after 
20 the appearance of the correct output voltages for the hash value e-j and the tally r-j , because, if otherwise, the equa- 
tion (6) is solved with the hash value e 1 as the unknown, which of course contradicts the presumption that the dis- 
crete logarithm problem on the elliptic curve is insotvable. 

(c) Such situation can not occur that the correct output value for the hash value makes appearance only after 
the appearance of the correct output voltages for the hash value e 1 and the tally r-, , because, if otherwise, the equa- 

25 tion (6) is solved with the hash value 62 as the unknown, which of course contradicts the presumption that the dis- 
crete logarithm problem on the elliptic curve is insotvable. Thus, Cases 3 and 4 can not occur. 

In the Cases 5 and 6, the correct output values of the tallies r 1 , r 2 and x 2 make appearance at first at a given time 
point in the course of executing the processing whereas the correct output value of the tally s 2 makes no appearance. 

30 After the above-mentioned given time point, the tally S2 which satisfies the condition given by the expression (6) must 
be determined, fn this conjunction, however, the following facts (a), (b) and (c) have to be taken into account. However, 
in that case, (a) such situation does not occur in which the correct output value of the tally S2 makes appearance finally 
after the appearance of the correct hash values e 1 and e 2 . Because, this means that the equation (6) can be solved with 
the tally s 2 as the unknown, which contradicts the presumption that the discrete logarithm problem on the elliptic curve 

35 is insolvable. Further, (b) such situation can not occur that the correct hash value e 2 is outputted only after the appear- 
ance of the correct output values for the hash value e 1 and the tally s 2 , because, if otherwise, the equation (6) is solved 
with the hash value e 2 as the unknown, which contradicts the presumption that the discrete logarithm problem on the 
elliptic curve is insolvable. Furthermore, (c) such situation can not occur that the correct output value for the hash value 
e 1 makes appearance only after the appearance of the correct output voltages for the hash value e 2 and the tally s 2 , 

40 because, if otherwise, the equation (6) is solved with the hash value e 1 as the unknown, which of course contradicts the 
presumption that the discrete logarithm problem on the elliptic curve is insolvable. Thus, Cases 5 and 6 can not occur. 

From the foregoing, it is concluded that none of the Cases 1 to 6 can occur and thus the algorithm AL4 does not 
exist 

Now, the demonstration is concluded. 
45 As will now be appreciated from the foregoing description, there have been provided a public key encryption 
method of high security and a system for carrying out the same. 

Further, with the public key encryption method and the system according to the invention, the length of the digital 
signature can be shortened. 

Additionally, according to the present invention, the public key encryption method and the system can be so real- 
so ized that the length of the digital signature has no dependency on the length of the order of the base point (system key). 
Many features and advantages of the present invention are apparent from the detailed description and thus it is 
intended by the appended claims to cover all such features and advantages of the system which fall within the true spirit 
and scope of the invention. Further, since numerous modifications and combinations will readily occur to those skilled 
in the art, it is not intended to limit the invention to the exact construction and operation illustrated and described. 
55 Accordingly, all suitable modifications and equivalents may be resorted to, falling within the spirit and scope of the inven- 
tion. 
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Claims 

1. A digital signature generating method tor generating a digital signature authenticating electronically a signature 
affixed to a given message (M) by resorting to a public key encryption scheme, comprising the steps of: 

determining for said message (M) a first hash value (e) satisfying a condition that e = H(M) by using a first hash 
function (H); 

determining for a numerical value (x) obtained from translation of a random number a second hash value (r) 
satisfying a condition that r « h(x) by using a second hash function (h) whose output value is shorter than that 
of said first hash function (hi); and 

arithmetically determining and outputting said digital signature by using said first hash value (e) and said sec- 
ond hash value (r) as determined. 

2. A digital signature generating method according to claim 1 , 

wherein for generating a digital signature , sj) for a given message (M 1 ), said method comprises the steps 

of: 

determining a hash value (e^ satisfying a condition that e-\ = H(Mi) by using a first hash function (H); 
generating a random number 0c,); 

determining a point (R-| (= k-jP)) by multiplying a point (P) of an abelian group by said random number (kj); 

determining a first numerical value (n) satisfying a condition that ^ = h(RJ by using the second hash function 

(h) whose output value is shorter than the output value of the first hash function (H); 

determining a second numerical value fa) satisfying a condition that = ki + d-i (e 1 + (mod n) by using the 

order (n) of said point (P) of said abelian group and a private key (d^; and 

outputting a set of said determined numerical values (r 1( s-,) as a digital signature. 

3. A digital signature generating method according to claim 1 , 

wherein said point (P) of said abelian group corresponds to a base point (P) on an elliptic curve. 

4. A digital signature verifying method for verifying a digital signature authenticating electronically a signature affixed 
to a given message (M) by resorting to a public key encryption scheme, comprising the steps of: 

determining for said message (M) a first hash value (e) satisfying a condition that e = H(M) by using a first hash 
function (H); 

determining for a numerical value (x) obtained from arithmetic operation of an inputted digital signature (r, s), 
a public key (Q) and a base point (P) a second hash value (f) satisfying a condition that f = h(x) from said first 
hash value (e), said digital signature (r, s), said base point (P) and said public key (Q) by using a second hash 
function (h) whose output value is shorter than that of said first hash function (H); and 
comparing said hash value (r') with a tally (r) of said inputted digital signature to thereby obtain a result of ver- 
ification of said inputted digital signature. 

5. A digital signature verifying method according to claim 4, 

wherein for verifying a digital signature , s A ) of a given message (M 1 ), said method comprises the steps of: 

determining a hash value (e^ satisfying a condition that e t = HfMj); 

inputting a public key (Qj) generated previously so as to satisfy a condition Q 1 = djP, where d 1 represents a 
private key, said public key (Qt) having been registered; 

determining arithmetically a point (fy) of an abelian group, said point (R being given by = s-|P - (e^ + 
ri)Qi; 

determining a hash value (r^ satisfying a condition that ry = hfRj); 

outputting a data indicating that said digital signature is authenticated, when said hash value (r,') coincides 
with a tally (r) of said digital signature; and 

outputting data indicating that said digital signature is not authenticated unless said hash value (r^) coincides 
with said tally (r<|) of said digital signature. 

6. A digital signature verifying method according to claim 5, 

wherein said abelian group includes an elliptic curve. 
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7. A digital signature generating method for generating a multiple digital signature authenticating electronically signa- 
tures affixed to messages and/or comments (Mj) as created and/or added sequentially by N users i (where i = 1 

N) by using a public key encryption scheme, comprising the steps of: 

(a) determining for a given one of said messages (M j) a first hash value (ej) satisfying a condition that e, » H(Mj) 
by using a first hash function (H); (b) determining for a numerical value (xj obtained 
from translation of a random number a second hash value (fj) satisfying a condition that r t = h(X|) by using a 
second hash function (h) whose output value is shorter than that of said first hash function (H); 

(c) executing said computation steps (a) and (b) for each of said users i (where i » 1 , .... N); and 

(d) determining arithmetically said multiple digital signatures on the basis of the hash values (ej and r$ deter- 
mined in said execution step (c). 

8. A multiple digital signature generating method according to claim 7, 

wherein for generating said multiple digital signature by users i (i £ 2), said method comprises the steps of: 

inputting a set of numerical values (Xj_ 1( Yj_i) obtained from translation of random numbers; 

computing a hash value ej = H(Mj) ; 

generating a random number K; 

computing a point kjP = (x, y); 

computing a point (x h yj) = (x^, y M ) + (x, y); 

computing a hash value r } = h(Xj) ; 

determining by using a private key (dj) a tally (s;) satisfying a condition given by following expression: 

/ 

s, = s M + k } + df (e, + £ r k ) (mod n) ; 

k-1 



and 

outputting a set of numerical values r jf Sj) as said multiple digital signature. 

9. A digital signature verifying method for verifying a multiple digital signature authenticating electronically signatures 
affixed to messages and/or comments (Mj) as created and/or added sequentially by N users i (where i = 1 , .... N) 
by resorting to a public key encryption scheme, comprising the steps of: 

(a) determining for the inputted message (Mj) a first hash value (ej satisfying a condition that & ( = H(M,) by 
using a first hash function (H); 

(b) determining for a numerical value (xj obtained by arithmetic operation of an inputted multiple digital signa- 
ture (rj, S|), a public key (Q) and a base point (P), a second hash value (r{) satisfying a condition that r,' = h(Xj) 
on the basis of said first hash value (ej), said digital signature (r jt Sj), said base point (P) and said public key (Q) 
by using a second hash function (h) whose output value is shorter than that of said first hash function (H); 

(c) executing said steps (a) and (b) for each of said users i (where i represents integers T to "NT inclusive, 
respectively); and 

(d) comparing each of said hash values (r,') determined in said step (c) with each of tallies (r) of said inputted 
multiple digital signature to thereby obtain results of verification of said inputted digital signature. 

10. A multiple digital signature verifying method according to claim 7, 

wherein for generating a multiple digital signature by users i (i £ 2), said method comprises the steps of: 

inputting (i - 1) messages and/or comments (M 1 M M ) and (i - 1)-tuple digital signature (r 1t .... r M , s^) 

issued by an immediately preceding user (i - 1); 

repeating computation of hash values % = HfMk), where k represents 1 to (i - 1); 

inputting repetitionally public keys Q k generated so as to satisfy a condition that Q k o c^P and registered pre- 
viously, where k represents 1 to (i - 1); 
computing a point (FVi) of an abelian group in accordance with 



EP0B40 478A2 



M k 

computing a hash value r'^ = fifR^) ; 

issuing data indicating "authenticated" when said hash value (r i . 1 ') coincides with a tally (r M ) of said (i - 1) -tuple 
digital signature (i.e., when r M * « rj^) ; and 

issuing data indicating "not-authenticated" unless said hash value (r M *) coincides with said tally (rj.i)(i.e., when 

1 1 . A digital signature verifying method according to claim 1 0, 

wherein said abelian group includes an elliptic curve. 

12. A digital signature generating system for generating a digital signature authenticating electronically a signature 
affixed to a given message (M) by resorting to a public key encryption scheme, comprising: 

processing means for determining for said message (M) a first hash value (e) satisfying a condition that e = 
H(M) by using a first hash function (H); 

processing means for determining for a numerical value (x) obtained from translation of a random number a 
second hash value (r) satisfying a condition that r = h(x) by using a second hash function (h) whose output 
value is shorter than that of said first hash function (H); and 

arithmetic/output means for arithmetically determining and outputting said digital signature by using said first 
hash value (e) and said second hash value (r) as determined. 

13. A digital signature generating system according to claim 12, 

wherein for generating a digital signature (r 1( s^ for a given message (M-,), said system comprises: 

means for determining a hash value (e t ) satisfying a condition that ei = H(M-,) by using the first hash function 
(H); 

means for generating a random number (kf); 

means for determining a point (Ri (= kiP)) by multiplying a point (P) of the abelian group by said random 
number (ki); 

means for determining a first numerical value (r,) satisfying a condition that r t = hfR^ by using the second 

hash function (h) whose output value is shorter than that of said first hash function (H); 

means for determining a second numerical value (s^ satisfying a condition that s 1 = kj + d 1 fa + r-,) (mod n) 

by using order (n) of said point (P) of the abelian group and a private key (d^; and 

means for outputting a set of said determined numerical values (r 1( s-|) as a digital signature. 

14. A digital signature verifying system according to claim 13, 

wherein said abelian group corresponds to an elliptic curve 

15. A digital signature verifying system for verifying a digital signature authenticating electronically a signature affixed 
to a given message (M) by resorting to a public key encryption scheme, comprising: 

first arithmetic means for determining for said given message (M) a first hash value (e) satisfying a condition 
that e = H(M) by using a first hash function (H); 

second arithmetic means coupled to said first arithmetic means for determining for a numerical value (x) 
obtained from arithmetic operation of an inputted digital signature (r, s), a public key (Q) and a base point (P) 
a second hash value (r*) satisfying a condition that r* = h(x) from said first hash value (e), said digital signature 
(r, s), said base point (P) and said public key (Q) by using a second hash function (h) whose output value is 
shorter than that of said first hash function (H); and 

verification result output means coupled to said first and second arithmetic means for comparing said hash 
value (f) with a tally (r) of said inputted digital signature to thereby obtain a result of verification of said inputted 
digital signature. 

16. A digital signature verifying system according to claim 15, 

wherein for verifying a digital signature (n, , ${) of a given message (Mj), said system comprises: 
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means for determining a hash value (e^ satisfying a condition that e 1 = H(M t ); 

means for inputting a public key (Q^ generated previously so as to satisfy a condition = d-jP, where d 1 rep- 
resents a private key, said public key (G^ having been registered; 

means for determining arithmetically a point (Rf) of an abelian group, said point (Rj) being given by R 1 = s-jP 
-(e^r^; 

means for determining a hash value Oi*) satisfying a condition that n* = h(R.|); 

means for outputting a data indicating that said digital signature is authenticated, when said hash value (r{) 
coincides with a tally Oi) of said digital signature; and 

means for outputting data indicating that said digital signature is not authenticated unless said hash value OY) 
coincides with said tally Oi) of said digital signature. 

17. A digital signature verifying system according to claim 16, 

wherein said abelian group includes an elliptic curve. 

18. A digital signature generating system for generating a multiple digital signature authenticating electronically signa- 
tures affixed to message and/or comments (Mi) as created and/or added sequentially by N users' units i (where i = 
1 N) by using a public key encryption scheme, comprising: 

first processing means for determining for a given one of said messages (MJ a first hash value (ej) satisfying a 
condition that e = H(Mj) by using a first hash function (H); 

second processing means for determining for a numerical value (xj) obtained from translation of a random 
number a second hash value (r|) satisfying a condition that r { = h(Xj) by using a second hash function (h) whose 
Output value is shorter than that of said first hash function (H); 

third processing means for executing the processings of said first and second processing means for each of 
said users' units i (where i » 1 N); and 

arithmetic/output means for determining arithmetically said multiple digital signature on the basis of said hash 
values (ej and rj) determined by said third processing means. 

19. A multiple digital signature generating system according to claim 18, 

wherein for generating said multiple digital signature, each of said users' units i (i £ 2) includes: 

means for inputting said set of numerical values (x M , Y^) obtained from the translation of random numbers; 
means for computing a hash value given by B\ = H(Mj); 

means for generating a random number kg; means for computing a point given by kjP = 

(x, y); 

means for computing a point given by (Xj, tf) =» (x^, y^) + (x, y); 
means for computing a hash value given by rj = h(xj) 

means for determining by using a private key (dj) a numerical value (Sj) satisfying a condition given by 
s, = s M + k; + d f (e,. + £ r k ) (mod n) ; 



and 

means for outputting a set of determined numerical values (r 1 r j( Sj) as the digital signature. 

20. A digital signature verifying system for verifying a multiple digital signature authenticating electronically signatures 
affixed to messages and/or comments (Mj) as created and/or added sequentially by N users's unit i (where i = 1 , 
N) by resorting to a public key encryption scheme, comprising: 

first arithmetic means for determining for the inputted message (Mj) a first hash value (ej) satisfying a condition 
that e; = H(Mj) by using a first hash function (H); 

second arithmetic means for determining for a numerical value (x{j obtained by arithmetic operation of the 
inputted multiple digital signature (r jt Sj), a public key (Q) and a base point (P), a second hash value {t{) satis- 
fying a condition that r{ = h(Xj) on the basts of said first hash value (e^ said digital signature (r jt Sj), said base 
point (P) and said public key (Q) by using a second hash function (h) whose output value is shorter than that 
of said first hash function (H); 
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processing means for executing repetittonally the arithmetic operation of said first and second arithmetic 
means for each of said users's units i (where i represents integers "1 " to "N" inclusive, respectively); and 
verifying means for comparing each of said hash values (r^ determined by said processing means with each 
of tallies (r) of said inputted multiple digital signature to thereby obtain results of verification of said inputted dig- 
ital signature. 

21. A multiple digital signature verifying system according to claim 20, 

wherein for authenticating a multiple digital signature by users' units i (i £ 2), each of said users' units 
includes: 

means for inputting (i - 1) messages and/or comments (M 1 M M ) and (i - 1) -tuple digital signature r h 

1( Sj.-,) issued by an immediately preceding user's units (i - 1); 

means for repeating computation of hash values e* = HfMk), where k represents 1 to (i - 1); 
means for inputting repetitionally public keys Qk generated so as to satisfy a condition that Q k = d k P and reg- 
istered previously, where k represents 1 to (i - 1); 
means for computing a point (R^) of an abelian group in accordance with 

M k 
(*m)-s m *-L<e*+ E r m )Q k ; 

*«1 M-1 



means for computing hash values r^' = h (R^); 

means for issuing data indicating that said multiple digital signature is authenticated when said hash value (r;. 
1 ') coincides with a tally (r^) of said (i - 1)-tuple digital signature (i.e., when r M ' = rj.i), while issuing data indi- 
cating that said multiple digital signature is not-authenticated unless said hash value (r M ') coincides with said 
tally (r M )(i.e., when r M ' * r M ). 

22. A digital signature verifying system according to claim 21 , 

wherein said abelian group includes an elliptic curve. 

23. A computer-readable recording medium for storing a program which is composed of instructions executed by a 
computer and which is for carrying out a method for generating a digital signature authenticating electronically a 
signature affixed to a given message (M) by resorting to a public key encryption scheme, said digital signature gen- 
erating method comprising the steps of: 

determining for said message (M) a first hash value (e) satisfying a condition that e = H(M) by using a first hash 
function (H); 

determining for a numerical value (x) obtained from translation of a random number a second hash value (r) 
satisfying a condition that r = h(x) by using a second hash function (h) whose output value is shorter than that 
of said first hash function (H); and 

arithmetically determining and outputting said digital signature by using said first hash value (e) and said sec- 
ond hash value (r) as determined. 

24. A computer-readable recording medium for storing a program which is composed of instructions executed by a 
computer and which is for carrying out a method for verifying a digital signature authenticating electronically a sig- 
nature affixed to a given message (M) by resorting to a public key encryption scheme, said digital signature gener- 
ating method comprising the steps of: 

determining for a numerical value (x) obtained from arithmetic operation of an inputted digital signature (r, s), 
a public key (Q) and a base point (R), a second hash value (r*) satisfying a condition that r* = h(x) on the basis 
of said first hash value (e), said digital signature (r, s), said base point (P) and said public key (Q) by using a 
second hash function (h) whose output value is shorter than that of said first hash function (H); and 
comparing 6aid hash value (0 with a tally (r) of said inputted digital signature to thereby obtain a result of ver- 
ification of said inputted digital signature. 

25. A method of generating and verifying a digital signature using a public key encryption scheme in a system in which 
a digital signature is generated by a given one computer and transmitted via a network to another computer to be 
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verified thereby, 

for generating a digital signature (r 1( for a given message (M^ by said given one computer 
determining a hash value (e-j) satisfying a condition that e 1 = H(hA^) by using a first hash function (H); 
generating a random number (kj ) ; 

determining a point (Ri (« ^P)) by multiplying a point (P) of an abelian group by said random number (k^; 
determining a first numerical value (r } ) satisfying a condition that r-, = hfRj) by using a second hash function 
(h) whose output value is shorter than that of said first hash function (H); 

determining a second numerical value (Sj) satisfying a condition that s 1 = kj + 6^ (e t + r^ (mod n) on the basis 
of the order (n) of said point (P) of said abelian group and a private key (d-|); and 

sending a set of said determined numerical values (r 1( s^ as a digital signature to said another computer via 
said network; and 

tor verifying said digital signature , s^ by said another computer, 

fetching said digital signature (r<, , s^ sent from said given one computer, a base point (P), a public key (Q) and 
order (n) from a public file; 

determining a hash value (e^ satisfying a condition that e 1 = H(M 1 ); 

inputting a public key (Qi) generated previously so as to satisfy a condition Q 1 = d-,P, where d 1 represents a 
private key; 

determining arithmetically a point (F^) of an abelian group, said point (R J being given by R 1 = - (e 1 + 

'i)Qi; 

determining a hash value (r^ satisfying a condition that = h(R 1 ); 

outputting a data indicating that said digital signature is authenticated, when said hash value (r 1 ') coincides 
with a tally (r) of said digital signature; and 

outputting data indicating that said digital signature is not authenticated unless said hash value OY) coincides 
with said tally (r-t) of said digital signature. 
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FIG. 2A 
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